Detect Vault 1.11+ import, update default issuer

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
hashicorp · Nov 3, 2022 · eeed745 · eeed745
1 parent 617a5f2
commit eeed745
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
@@ -551,13 +551,34 @@ func (v *VaultProvider) GenerateIntermediate() (string, error) {
 	}
 
 	// Set the intermediate backend to use the new certificate.
-	_, err = v.writeNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath+"intermediate/set-signed", map[string]interface{}{
+	importResp, err := v.writeNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath+"intermediate/set-signed", map[string]interface{}{
 		"certificate": intermediate.Data["certificate"],
 	})
 	if err != nil {
 		return "", err
 	}
 
+	if importResp != nil {
+		// Assume we're on Vault 1.11+. We'll assume we only have one issuer
+		// with a key.
+		mapping := importResp.Data["mapping"].(map[string]string)
+		var intermediateId string
+		for issuer, key := range mapping {
+			if key != "" {
+				intermediateId = issuer
+				break
+			}
+		}
+
+		// Now post it to the default issuer.
+		_, err = v.writeNamespaced(v.config.IntermediatePKINamespace, v.config.IntermediatePKIPath+"config/issuers", map[string]interface{}{
+			"default": intermediateId,
+		})
+		if err != nil {
+			return "", err
+		}
+	}
+
 	return v.ActiveIntermediate()
 }